PIA from a fixed location in Windows
Hi,
I'd like to add my 2 cents to the well-known problem of PIA with firewall/AV software when it runs from a temp folder location.
Background: I have Agnitum Security Suite installed and, as the reader may have guessed, it doesn't like the "malware'ish" activity of the PIA application. What I mean by that is that when pia_manager is executed it creates folders in the Windows temp directory, one of which contains an unsigned executable (rubyw.exe), and tries to run it. One more time: every time you run pia_manager.exe -> it creates a temp folder and runs an unsigned exe. For AV software this behaviour is very suspicious; I assume this is "malware dropper"-like behaviour - http://en.wikipedia.org/wiki/Dropper_(malware). I wanted to run the application from a persistent location, so I could create system/network rules for rubyw.exe (unsigned, duh) explicitly.
Why is the temp folder used?
The PIA application was developed using Ruby. Skipping the "Why?" (including the "but it runs on Win/Lin/Mac") part, we end up with the question "How to execute a Ruby application on a client PC?". To avoid headaches the PIA developer(s) decided to use the OCRA tool (http://ocra.rubyforge.org/), which basically packages Ruby files into a single executable. When executed it extracts the content to a "specific" location and then runs it by passing a command line to the Ruby interpreter.
Its documentation states: "The 'current working directory' is not changed by OCRA when running your application. You must change to the installation or temporary directory yourself." I don't have experience with Ruby or OCRA, but I speculate that it might have been possible to specify a fixed directory. But even so, the executable would extract files into the fixed directory and the files would be overwritten (maybe there is a switch "Don't overwrite"?), and decent AV software will detect that the executable has changed and will start complaining again; but now one should be able to add that fixed path to the "Exclusions" list. When I contacted support, I was advised to whitelist "rubyw.exe" etc. But then what? I can rename any malware to rubyw.exe and it will be skipped, unless the AV software somehow "figures out" that the newly created executable is the same as the one from "yesterday"?
Anyway, I wanted to keep component and executable control "ON" in my AV software and not add the unsigned rubyw.exe binary to the "allow all" exclusions.
How could the "fixed" location part be addressed?
Well, by not using the temp folder in the first place and running rubyw.exe with parameters directly. This is what I did by developing a small launcher application. My findings are based on several hours of research.
You will need administrative privileges to perform these operations and .NET Framework 2.0 to run the application:
1) Run PIA application, let it start
2) Now you need to find the temp directory created by PIA; it has a pattern like C:\Users\YOUR_USER_NAME\AppData\Local\Temp\ocrXXXX.tmp\
YOUR_USER_NAME <-- this is YOUR username
XXXX <-- randomly generated alphanumeric value, but you should be able to find that folder easily, for example, I had: C:\Users\SHUKHR~1\AppData\Local\Temp\ocrF22C.tmp
So, find this temp folder; it will contain 3 folders: bin, lib and src. Keep it open.
3) Now open the location where PIA is installed; in my case it was installed to "c:\Program Files\pia_manager" (I will refer to this location as "PIA directory" from now on)
Copy those 3 folders (bin, lib and src) to PIA directory
4) Exit PIA application
5) Next rename pia_manager.exe to pia_manager.exe_ so that you have a backup copy
6) Download a zip file from my PC - REDACTED AS NOT NEEDED ANYMORE
Unpack and copy following files (from attachment) into PIA directory:
\PIA_manager\bin\Release\pia_manager.exe
\PIA_manager\bin\Release\pia_manager.exe.config
HEY! WHAT IS THIS? ANOTHER EXECUTABLE? I DON'T TRUST YOU!
Yes, and it's good that you don't trust any unsigned executables; that is why I've provided the source code for the program. You can download a free version of Visual Studio 2012 and compile it yourself. I've provided the executable only for the laziest ones.
You can use ILSpy or Reflector to see its content and compare it to the source code. So, no hidden surprises.
If you have done everything correctly, from now on it should run from PIA directory.
I have tested on my Win8.1 box.
Thank you!
P.S: provided as is, feel free to use the source code for your own needs
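The post's point about whitelisting by file name (any binary renamed to rubyw.exe would pass) is the reason a fixed-location launcher should also pin the interpreter's hash. The following is an added example of such a launcher, not the poster's .NET code or anything from PIA; the entry script name `src\pia_manager.rb` and the pinned digest are assumptions/placeholders you must replace with what you find in your own copied ocrXXXX.tmp contents.

```python
"""Added example: fixed-location launcher that refuses to run a changed rubyw.exe.
Hypothetical stand-in for the poster's launcher; not PIA's or OCRA's code."""
import hashlib
import pathlib
import subprocess
import sys

# Constructed placeholder: record the SHA-256 of bin\rubyw.exe right after you
# copy the ocrXXXX.tmp folders into the PIA directory, and pin it here.
PINNED_RUBYW_SHA256 = "<record-your-own-sha256-here>"
# Assumption: the entry script OCRA hands to the interpreter (the post does not name it).
ENTRY_SCRIPT = pathlib.Path("src") / "pia_manager.rb"
REQUIRED_DIRS = ("bin", "lib", "src")   # the three folders copied from ocrXXXX.tmp

def sha256_of(path):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_layout(pia_dir):
    """Return the OCRA folders missing from the fixed location (empty list = OK)."""
    pia_dir = pathlib.Path(pia_dir)
    return [d for d in REQUIRED_DIRS if not (pia_dir / d).is_dir()]

def verify_interpreter(pia_dir, pinned_sha256):
    """True only if bin/rubyw.exe exists and its digest matches the pinned value."""
    exe = pathlib.Path(pia_dir) / "bin" / "rubyw.exe"
    if not exe.is_file():
        return False
    return sha256_of(exe).lower() == pinned_sha256.lower()

def build_command(pia_dir):
    """Command line equivalent to what OCRA runs, but from the fixed directory."""
    pia_dir = pathlib.Path(pia_dir)
    return [str(pia_dir / "bin" / "rubyw.exe"), str(pia_dir / ENTRY_SCRIPT)]

def launch(pia_dir, pinned_sha256=PINNED_RUBYW_SHA256):
    missing = check_layout(pia_dir)
    if missing:
        raise SystemExit("missing OCRA folders in PIA directory: " + ", ".join(missing))
    if not verify_interpreter(pia_dir, pinned_sha256):
        raise SystemExit("bin\\rubyw.exe is missing or has changed; refusing to run")
    # cwd is the fixed PIA directory, so nothing gets extracted into %TEMP%.
    return subprocess.Popen(build_command(pia_dir), cwd=str(pia_dir))

if __name__ == "__main__":
    launch(sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\pia_manager")
```

A firewall rule can then target the stable path bin\rubyw.exe, and a PIA update that replaces the interpreter fails closed until you re-pin the digest.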
Comments
So I am putting some mirrors up if Step 6 ever fails.
This is the exact file supplied by Shukhrat Nekbaev in this post.
Here are the Hashes
SHA1: AD5F05FE79749F360237475E9D459AB3C0CBA41E
MD5: ACBA4604DE63D18211C3928BFEDEE19A
CRC32: CD8C089B
File: pia_manager.zip ( 55 kB )
Here are the Mirrors
----
Thanks a lot Shukhrat for figuring this out for us!
Those are the correct checksums from FinDev's post.
The zips are identical.
Thank you @Jason_Todd.
Now PIA_Manager runs from the main installation directory and my firewall now works great with the Ruby exe.
My firewall is the standard Win7 firewall with the Binisoft Windows Firewall Control app.
f0278f64, did you follow the FinDev instructions? Once you move the ocr*.* folders to the PIA installation folder and replace the pia_manager exe, there should be nothing happening in the temp folder.
Is it the case that the only material difference might be the path to temp in Win 7 includes the more elegant 'users' rather than the clomping and fatuous 'Documents and Settings'? If so can the variability be handled by an .ini or other config plaintext file that the user can tweak?
tia
i.e. is the FinDev compiled exe independent of PIA updates, or does the FinDev exe need to be revamped each time PIA updates the client?
It works for now and costs you nothing. Take it or leave it.
For such a big company PIA are slow on updates/support/fixes/improvements with their client. Yes, it would be nice if PIA did a fixed location update client that was rock solid. Like you say OmniNegro - Take it or leave it.